Mikhail Mishustin, Prime Minister
of the Russian Federation

‘I am pleased to see at this event the leaders [...] and CEOs of global corporations from a wide range of industries and countries. The training is another step in creating a trusted digital environment and fostering an open dialogue to discuss even the most challenging cybersecurity issues. Today, the participants of Cyber Polygon are [...] secure digital world and a safer future’
Klaus Schwab, Founder and Executive
Chairman, World Economic Forum

‘Technology and cybersecurity are of crucial importance in this COVID era. One of the most striking and exciting transformations caused by the pandemic [...] everything, both in our professional [...] I am glad that Cyber Polygon has proved itself as one of those brilliant initiatives that address the need for developing and enhancing global cyber resilience in the fight against cybercrime and cyberattacks’
[...] transformation. With electronic services gaining traction and the adoption of disruptive telecom technologies, many businesses that have switched to remote operations might not return to their former work patterns.

[...] from technology and universal interconnectivity. They coalesce in gangs on the Darknet, exchange data and create large-scale attacks, taking full advantage of people's curiosity and fear.


According to the World Economic Forum, cyberattacks 
and data theft are the 9th most likely fallout to the world. 
The damage caused by these factors continues to increase 
and, in 2030, is projected to reach $90 trillion. 


Cybercriminals [...] advantage — the number of cyberattacks rose dramatically because of the pandemic, with most of them exploiting the coronavirus turmoil. In Q1 2020, Palo Alto Networks detected a 569% growth in COVID-19-themed malicious registrations, including malware and phishing.





This year has demonstrated that a crisis can occur unexpectedly. Our research reveals that 83% of companies have no recovery plans in place. In times of crisis, they find it most challenging to restore business operations and maintain their efficiency. A robust response plan and effective teamwork help to avoid such scenarios and minimise losses. Therefore, the importance of training and education across all levels must not be overlooked.


This is the reason behind Cyber Polygon — an annual 
international exercise aimed at strengthening global cyber 
resilience through raising public awareness in cybersecurity 
and developing the competencies of technical specialists. 


In addition to the technical training, in which teams practise their skills in repelling cyberattacks, Cyber Polygon also features an online conference. The key topics for discussion this year covered the emerging technologies that will shape the digital future, the role of cybersecurity given the fast-paced digitalisation, and measures that organisations and the international community as a whole need to take to protect the digital space.


This report summarises the key takeaways from the lectures 
and interviews as well as the results of the technical training 
and practical recommendations based on these results. 
Cyber Polygon is a unique event that combines the world's largest cybersecurity exercise for corporate technical teams and an online conference featuring high-profile speakers.

Goals:
- develop the teams' competencies in repelling cyberattacks
- [...] management, in a cybersecurity dialogue
- raise public awareness in cybersecurity

Hence, the exercise is aimed at enhancing cybersecurity on all levels.


The ultimate idea behind Cyber Polygon is to ensure global 
cyber resilience and active intersectoral cooperation. 


In 2020, it was the second time the event took place, again 
with the support of the World Economic Forum and INTERPOL. 


The partners and participants involved in Cyber Polygon were 
tech companies, international organisations as well as state and 
law enforcement agencies coming from all corners of the globe. 
With the digital world being as interconnected as it is, all its participants expose themselves to a number of safety risks. A single data breach across the ocean could trigger a chain reaction and spark a ‘digital pandemic’ across the globe. People, organisations and entire states may fall victim [...].

The central theme for the Cyber Polygon 2020 online stream was the prevention of a ‘digital pandemic’. The year has demonstrated that a crisis may hit unexpectedly and we must be prepared for an emergency — to protect ourselves and entire organisations.
In 2019-2020, the world witnessed a wave of massive data leaks — even technologically advanced companies were not always immune. This is why, for the technical part of our training, we developed an attack scenario which in real life would jeopardise company reputation and data. The teams could hone their skills in countering this type of attack in real time and investigate the incident.





Structure

Cyber Polygon featured two parallel tracks:
1. online stream for a wide audience
2. technical exercise for cybersecurity teams from organisations

Live Stream

The live stream featured top officials from international [...] the current cybersecurity trends and risks, and discuss how to avoid a ‘digital pandemic’.


The event was launched with opening statements from the honorary guests: Mikhail Mishustin, Prime Minister of the Russian Federation, and Klaus Schwab, Founder and Executive Chairman, World Economic Forum.

The live stream also featured Herman Gref, CEO, Chairman of the Executive Board, Sberbank; the Rt. Hon. Tony Blair, Prime Minister, Great Britain and Northern Ireland (1997-2007); Jurgen Stock, Secretary General, INTERPOL; Troels Oerting, Chairman of the Advisory Board, the World Economic Forum Centre for Cybersecurity; Nik Gowing, BBC World News main presenter (1996-2014), Founder and Director, Thinking the Unthinkable; Vladimir Pozner, Journalist and broadcaster; as well as senior officials from ICANN, Visa, IBM and other [...]

[...] viewers from 57 states. Such a broad outreach is indicative [...] as a global issue that can only be combated through joint efforts.
The technical exercise attracted 120 of the largest Russian and international organisations from [...] countries. These included banks, telecom companies, energy suppliers, healthcare institutions, universities as well as state and law enforcement agencies.

The teams practised response actions at the moment of a targeted attack that aimed to steal confidential data and undermine the company's reputation, and worked on protecting their segments of the training infrastructure. The organisers from BI.ZONE represented the Red Team and simulated the attacks.
The exercise included two scenarios:

Defence

In the first scenario, the participants practised repelling a massive cyberattack in real time.

They had to manage the attack as fast as possible and minimise the amount of information stolen.

Response

The second scenario involved investigating the identified incident by applying traditional forensics as well as Threat Hunting — a method whereby specialists continuously look for threats by manually analysing security events from various sources, rather than waiting for security alerts to go off.

The teams also practised collaboration with law enforcement agencies: based on the information gathered, they composed a dossier for INTERPOL that in real life would help law enforcement to locate the criminals.

Cyber Polygon became the first international exercise for corporate teams of such format and scale.
How Did It Go

This year, we made our technical training scenarios as close to real-life situations as possible. To achieve this, we implemented a complex technical infrastructure, with over 400 virtual machines rolled out. Further, preliminary load testing was conducted to ensure smooth operation of all systems during the event.

In the run-up to the exercise, we released a series of technical articles. The publications helped the participants improve their knowledge of the topics covered in the scenarios and prepare better for the training. This laid the foundation of our public knowledge library, which is being enriched on a continuous basis.





The event featured the world's first public exercise for corporate teams where the Threat Hunting method was applied. We are especially pleased to realise that for many teams Cyber Polygon became the first opportunity to master this technique and thereby gain new practical experience. We strongly believe that such initiatives are an effective tool in enhancing cyber resilience through knowledge sharing.
What Is Next?

With the accelerated rate of digitalisation, the level of cybercrime will also continue to rise. In order to withstand a large-scale cyber threat, the global community needs to unite its efforts and establish collaboration at all levels: practise joint mitigation of cyberattacks, expand technical skills, and engage in open dialogue on key global cybersecurity issues.

Such events as Cyber Polygon are instrumental in achieving these goals, as they already allow experts from participating organisations to increase their skills and draw the attention of a wider audience to the issues of cybersecurity.

We continue to develop training opportunities to strengthen global cybersecurity and ensure a secure digital world, and we invite you to join the next Cyber Polygon in 2021.

We hope that the results and conclusions of this year's training presented in the report as well as the knowledge of invited experts will help the entire community and stakeholders to develop practical measures to improve global interaction in the fight against cybercrime.
Cyber Polygon 2020 attracted a variety of organisations from a range of industries: global corporations, small and medium businesses, international organisations and government structures, law enforcement agencies and [...] institutions.

[...] of cybersecurity issues and the importance of such exercises across the board.





Partners

IBM

[...] technology employer in the world, delivering services in [...] countries. IBM is building [...] solutions and cloud platforms that help transform institutions, communities and the quality of life. It is a leading provider of high-value solutions and services to clients in a variety of industries, including government, telecommunications, healthcare, finance, retail, oil and gas.

ICANN

A not-for-profit public-benefit corporation and a global community. ICANN's mission is to ensure a stable, secure, and unified global Internet. The company oversees unique identifiers that allow computers on the Internet to locate one another. ICANN ensures universal resolvability — users receive the same predictable results when they access the network from anywhere in the world.
[...] continents, except Antarctica. The technical training attracted [...] gathered 5 million spectators from 57 states.
[...] be the same again

[...] transitioned to remote work and are more and more reliant on electronic services. Effective interaction demands new communication methods and rapid data transmission.

Such changes pose not only additional risks and challenges to businesses, but affect people's way of life. In a dynamic technological environment and an increasingly interconnected world, cybersecurity has become and will continue to be the main focus.


‘COVID-19 has accelerated various processes. Before the pandemic, we had been rather critical of digitalisation because of all the problems brought about by the new technologies. Now, everybody is beginning to understand that this process is inevitable, we need to move forward and cybersecurity plays a great role in tech innovation’

Herman Gref











‘We will probably never go back to the times we had before — we will not go back to the offices. I think that more people will work from home, we will have a more flexible work relationship, which also means that the challenges we are dealing with now will remain, and we need to be ready to face them’

Troels Oerting, Chairman of the Advisory Board, the World Economic Forum Centre for Cybersecurity

‘5G will be the platform for the society, for hospitals, for public transport, for everything that is to be connected. You need to have absolute trust in the underlying infrastructure, hence there is a high demand for security. Today, we cannot even imagine what capabilities the new 5G network will enable, and artificial intelligence will obviously be one of the key features of our technologies and tools in the development of new application services. AI can be used for predictive analytics to improve performance, maintenance and security of the network’

Sebastian Tolstoy, Head of Eastern Europe & Central Asia and General Director Ericsson Russia, Ericsson

‘I believe the Internet of Things will be one of the biggest game changers. Industrial automation will bring the most added value globally over the next 10 years and that will be based very much on the Internet of Things’

Alexey Kornya, President, CEO, Chairman of the Management Board, MTS


State structures

[...] revolution

[...] changes: not only to search for new tools and ways of interacting with people and businesses, but also to ensure the safety of such interaction. A digital identity can become one of the effective ways of communication between the state and individual citizens. However, this is only possible provided that privacy and data protection are properly regulated.

‘If Clement Attlee, who served as Prime Minister in the UK from 1945 to 1951, came back to Britain today, he would see a country completely transformed in the way we work, in the way we live, in technology, in living standards, in its class structure. But then, when he went back into government, he would find himself completely at home, as everything would be familiar. The government is always the last to change, and the problem with cyber threats is that we cannot afford the government to take 10 years to catch up because at that time the damage will be too great’

The Rt. Hon. Tony Blair, Prime Minister, Great Britain and Northern Ireland (1997-2007)

[...] attacks and registrations of malicious sources has increased, and the trend is predicted to grow.


‘Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19. We have seen a steep increase of new narratives in online scams, phishing approaches and targeting of critical infrastructures: health service ransomware, attacks on hospitals, exploiting the need for personal protective material and medical research’

Jurgen Stock

‘Whenever there is a global crisis or an event of public significance, there is always an uptick in criminal activity related to such events. Therefore, it is understandable that people out there are clicking on emails or website links or report downloads that promise to provide updates on such events and thereby being lured into certain situations, and COVID-19 is no exception’

Dhanya Thakkar


6,000% — global growth in COVID-19 related spam in March—May 2020


Critical infrastructure

Healthcare, the financial industry, government agencies, manufacturing, IT and telecom are at greatest risk. Being the most frequent targets of attacks, such organisations incur enormous losses. However, healthcare and manufacturing are the least protected due to the use of outdated equipment. Further, their IT infrastructure is often unable to quickly detect an intrusion as well as manage its consequences.

‘What we are seeing now is cases of attackers squatting within organisations undetected for months, if not longer, and they have really taken their time and patience to understand the lay of the land and determine when and where they can wage a ransomware attack, how to deploy the software, and then demand money. In some recent cases, we have seen as much as [...]’

Wendi Whitmore


‘Calculation shows that a six-hour blackout in mainland France could cost $1.5 billion. The electrical utilities, the hospital systems were not designed for the era that we are in today, so we need direct collaborations with industry leaders in different sectors — electricity, energy, healthcare, aviation — to help them strengthen their cyber posture, to increase awareness of the underlying threats’

Jeremy Jurgens, Chief Business Officer

260% — increase in malicious COVID-related URLs in February—March 2020


Fake news poses [...]

[...] channels at record speeds. However, data on the web is not always trustworthy. In the era of digitisation, fake news has become a dangerous weapon being used by cybercriminals to attack people and organisations.

‘The speed with which the digital reality is changing is far faster than any regulations can ever be constructive’

Nik Gowing, BBC World News main presenter (1996-2014)

‘We should rely on ourselves when trying to protect against fake news: we need a good education, critical outlook, we need to compare the facts and analyse the incoming information’

[...] for a Cyber Crisis?

[...] plan is essential


A crisis does not care for time or place. An emergency can befall any industry or company, whether now or in the future — cyber space being no exception. One of the effective ways for organisations and the entire digital community to be prepared for such situations is to develop and implement an emergency plan.

‘A cyber incident or attack can turn into a crisis if you have little capability or capacity to deal with it. If you are well-prepared, you can be more resilient and effective in responding and mitigating such events’

Craig Jones

[...] across all levels

Businesses should take measures to enhance their cyber resilience: implement best practices in risk management and conduct regular security audits of their systems. They need to create strong teams to ensure secure operations as well as develop, test and implement crisis management and business continuity plans.


‘Risk management is everyone's responsibility. Every person within an organisation is responsible for identifying and reporting risks and/or breaches to security protocol. This, of course, must be supplemented by a resilient security infrastructure and robust tools and capabilities to spot and mitigate accidental incidents, which can be caused by only one click on the wrong link’

Hector Rodriguez, Senior Vice President, Regional Risk Officer

‘I do not believe that we can put the expectation for security on each individual. I think we need to make them aware of what the risks and the challenges are, but we actually also have to move towards models that are not dependent on single individuals who can be manipulated or perhaps fail to understand the implications and therefore put entire organisations and institutions at risk’

Jeremy Jurgens, Chief Business Officer

‘In this negative picture of the increase in attacks there is a good thing: we have rarely seen anything so new and so novel that we are not really ready to defend against them. Many organisations are doing that very successfully and, in particular, those that have threat intelligence tailored towards their industry. They have a good understanding of what their particular attack surface looks like’

Wendi Whitmore, Vice President of IBM X-Force Threat Intelligence


Training, education and preparation of every employee, regardless of their competencies and roles, should be recognised by businesses as a strategic priority. Each staff member at their respective level must understand security policies and procedures and know in advance how to act in an emergency.

‘Regular phishing and awareness training is really important, as is analysing the results of the training to help understand how many employees click through. However, it is really easy to run the same old phishing simulations week-on-week, so it is important to think of new ways to test employees and make them think. There does not have to be a penalty around it that makes everybody upset or worried about the training, but you do need to think about how to challenge the organisation’

Jacqueline Kernot, Partner in Cybersecurity, Ernst & Young

‘We need to continue with the pace of introducing cyber hygiene rules as criminals do not want to invest 1 dollar to steal 50 cents, they want it automated, so if it is too difficult, they will move on to somebody else’

Troels Oerting, Chairman of the Advisory Board, the World Economic Forum Centre for Cybersecurity
Effective protection

[...] or a lone individual. In a highly interconnected world, a single cyber attack can spread exponentially across the global community. This situation can be prevented by promoting collaboration between the public and private sectors and law enforcement agencies. Furthermore, efficient interaction requires the implementation and regulation of a range of standards, the exchange of information and establishing trustworthy relationships.

‘As for a global community, awareness, education and prevention are vital. As the head of an organisation that unites law enforcement worldwide, I can say that we need even greater cooperation and information exchange in tackling the threat of cybercrime’

Jurgen Stock

[...] cybercrime — this could be international conventions [...]

Petr Gorodov

‘Regulatory frameworks and government intervention in the cybersecurity space are important. I have certainly had clients tell me that it is government intervention or regulation that has made them change the way that they operate’

Jacqueline Kernot, Partner in Cybersecurity, Ernst & Young

‘We at ICANN understand the domain name system and the DNS industry probably as much or better than anybody else out there. So one of the things we can do is to work with those who combat criminality to help them understand the effects of their actions and to make sure that they get the results they intend’

John Crain, Chief Security, Stability & Resiliency Officer, ICANN

60% — share of cloud attacks that used previously exploited data and vulnerabilities³

³ W. Whitmore, source: IBM X-Force

‘We want to have a world that is collaborative, so we are now building a network of cyber volunteers out of the capable and the willing in order to work collectively to achieve cyber peace’

Stephane Duguin, CEO, CyberPeace Institute
The training was essentially a challenge between two opposing sides: the Red Team (the attacker) vs the Blue Team (defence teams).

The participants acted as the Blue Team. They had to perform a variety of tasks: assess infrastructure security of a fictional organisation CyberCorp, search for and remediate potential vulnerabilities as well as identify and respond to security incidents.

The organisers (BI.ZONE) assumed the role of the Red Team seeking to compromise the secured systems by identifying and exploiting weaknesses in CyberCorp's infrastructure.

Each participating team was given access to their own dedicated IT infrastructure under the guise of CyberCorp. The infrastructure was created specifically for the training and was deployed on an IBM cloud.

The training had a range of distinctive features:

- It was targeted at corporate teams, rather than individuals, for the participants to practise collaborative teamwork.
- Given that the attack was carried out by the organisers themselves, all the teams were on an equal playing field and had the opportunity to objectively assess their capabilities.
- The companies did not risk their reputation: the teams were assigned numbers to disguise the real names of their organisations.
- The participants' own business IT infrastructure was not involved.

Scenario 1. Defence — the teams developed their skills in repelling a large-scale attack in real time.

Scenario 2. Response — the participants investigated the incident using traditional computer forensics and Threat Hunting techniques.
According to the first scenario, CyberCorp's infrastructure included a public service, which processed confidential client information. This service became the subject of interest to an APT group. Cybercriminals were going to steal confidential user data in order to receive financial benefits and cause damage to company reputation. The APT group studied the target system in advance, discovered a number of critical vulnerabilities and carried out an attack.

[...] at the moment of the attack. They were expected to find and eliminate the vulnerabilities in the service as fast as possible [...]

The amount of leaked data was assessed by the number of flags that the APT group was able to steal. The teams had to analyse the service code, the attackers' network activity and determine which vectors were used to conduct the attack and seize the flags. They were allowed to apply any methods to defend their infrastructure, provided that they did not disrupt service operations.


The first scenario accumulated some of the best ideas found in modern training activities (Attack-Defence CTF, Red Teaming) as well as cybersecurity courses.

Selecting the data breach attack scenario, where a web application vulnerability is exploited, was done for good reason: web applications remain one of the most popular attack vectors. According to the Verizon Data Breach Investigations Report 2020, they account for 43% of attacks against [...]
Flag — a string with a strictly defined format, which is used in CTF (Capture the Flag) cybersecurity competitions.

Attack-Defence CTF — a CTF competition where teams are required to defend their services (i.e. prevent them from being attacked by other participants) and, at the same time, attack opposing teams’ services by taking advantage of their vulnerabilities. To win points, players must ‘capture’ the opponent's flag, which proves that the vulnerability has been exploited successfully.

Red Teaming — a cybersecurity exercise that simulates an attack on the existing corporate infrastructure by imitating [...] by hacker groups.


[...] in 2020 featured attacks [...]

Scenario 2.

The second scenario consisted of two rounds, each of which included tasks aimed at practising response actions to the identified cybersecurity incident, though with different approaches applied.

According to the first-round legend, CyberCorp discovered that its infrastructure had been compromised given the number of anomalies in its corporate network. The character of those anomalies suggested that the attack might be associated with a widely known APT1337 group. CyberCorp's cybersecurity team isolated one of the suspicious hosts from the corporate network and collected artifacts for investigation.

The participants had to analyse the artifacts and solve the tasks [...]
[...] to apply and develop classic forensics skills, when all the necessary artifacts are collected after the attack and the response team is trying to trace the incident. This is what is known as the reactive approach.

[...] a cybersecurity incident, CyberCorp purchased and rolled out [...] infrastructure, with agents installed on all the workstations and servers. The extended telemetry gathered by such endpoints was sent to the centralised Threat Hunting platform for proactive threat detection. The company also invited a team of expert analysts to build a detection process based on the Threat Hunting approach.

Endpoint Detection and Response (EDR) — a solution designed to detect and respond to cybersecurity incidents at endpoints (workstations and servers). EDR collects, processes and analyses extended telemetry from endpoints with the purpose of detecting abnormal activity, and provides a variety of tools to respond to such activity (both automatically and upon request).











There was some information published on the web about a new technique used by attackers to gain a foothold in the system — better known as Persistence. One of the experts decided to check whether this method was employed in the CyberCorp attack. The hypothesis proved true: one host in the infrastructure was found affected by this technique.

By analysing the telemetry collected on the Threat Hunting platform, the teams had to understand how the threat actor had infiltrated the infrastructure and piece together the sequence of their actions.


While Threat Hunting is not an alternative to traditional forensics, proactive collection of security events, as well as the ability to quickly obtain artifacts from the EDR agents, can speed up, simplify and improve incident response and investigation.


Dwell Time — the median time between the start of a compromise and its detection.

According to the SANS 2019 Threat Hunting survey, many organisations have not yet realised the essence of proactive detection of vulnerabilities and what benefits they get with this technology. Therefore, when developing the second scenario,
the hypothesis-based method will help the participants gain the required experience and enhance their trust in this
in real life will help security specialists reduce the Dwell Time.


According to the FireEye M-Trends annual reports, the Dwell Time has been reducing in the last 3 years. In 2017 this metric stood at 101 days, in 2018 — 78 days and in 2019 it dropped to 56 days. FireEye attributes the reduction to two major factors:
daromexe)alelalelelelomianl@)ge)',-100(-10lae)m anle)alice)a|aleme)celer-1e] 0] «-1ow-] Alem (@le)|sy
and the growth in the number of incidents involving ransomware and cryptocurrency miners which are, by their destructive nature, easily detectable. There is no doubt that the evolution of such disciplines as Threat Intelligence and Threat Hunting,
contributed to the improvement. Thus, around 70% of the SANS respondents ascribe the decrease in Dwell Time to the implementation of Threat Hunting in their organisations.





101 to 56 days 
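As an added example (not part of the Cyber Polygon report or of the platform used in the exercise), the Python sketch below performs a hypothesis-driven hunt of the kind described for the second round over a few constructed EDR telemetry records: it tests the hypothesis that the actor gained a foothold through an autorun registry key, walks the parent-process chain on the affected host to piece together the sequence of actions, and derives the Dwell Time of that constructed incident from the earliest related event and the detection time. All host names, process images, timestamps, registry paths and the marker list are constructed for illustration and are not taken from the report.

```python
"""Hypothesis-driven hunt over EDR telemetry (added example, constructed data)."""
from datetime import datetime
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Constructed telemetry, standing in for events that EDR agents forward to a
# central Threat Hunting platform. Fields: ts, host, event, pid, ppid, image, detail.
TELEMETRY: List[Event] = [
    {"ts": "2020-07-01T09:02:11", "host": "ws-17", "event": "process_start",
     "pid": 4101, "ppid": 900, "image": "outlook.exe", "detail": ""},
    {"ts": "2020-07-01T09:03:40", "host": "ws-17", "event": "process_start",
     "pid": 4120, "ppid": 4101, "image": "winword.exe", "detail": "invoice.docm"},
    {"ts": "2020-07-01T09:03:52", "host": "ws-17", "event": "process_start",
     "pid": 4133, "ppid": 4120, "image": "powershell.exe", "detail": "stage.ps1"},
    {"ts": "2020-07-01T09:04:05", "host": "ws-17", "event": "registry_set",
     "pid": 4133, "ppid": 4120, "image": "powershell.exe",
     "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"ts": "2020-07-01T09:04:30", "host": "ws-17", "event": "process_start",
     "pid": 4150, "ppid": 4133, "image": "updater.exe", "detail": ""},
    # Benign activity on other hosts that the hypothesis must not match.
    {"ts": "2020-07-01T09:10:00", "host": "ws-02", "event": "process_start",
     "pid": 300, "ppid": 1, "image": "explorer.exe", "detail": ""},
    {"ts": "2020-07-01T09:11:00", "host": "srv-db1", "event": "registry_set",
     "pid": 50, "ppid": 1, "image": "msiexec.exe",
     "detail": r"HKLM\Software\Vendor\Product\Version"},
]

# Registry locations whose modification forms the hunt hypothesis
# (autorun keys; a constructed marker list, not an exhaustive catalogue).
AUTORUN_MARKERS = (r"\currentversion\run", r"\currentversion\runonce")


def hunt_autorun_persistence(events: List[Event]) -> List[Event]:
    """Hypothesis: the actor gained a foothold through an autorun registry key.

    Returns the registry events supporting the hypothesis; an empty list means
    the hypothesis was not confirmed on this telemetry.
    """
    return [
        e for e in events
        if e["event"] == "registry_set"
        and any(m in str(e["detail"]).lower() for m in AUTORUN_MARKERS)
    ]


def reconstruct_chain(events: List[Event], host: str, pid: int) -> List[Tuple[str, str]]:
    """Walk parent pids from `pid` back to the earliest recorded ancestor on `host`.

    Returns (timestamp, image) pairs oldest first, i.e. the sequence of actions
    that led to the suspicious process.
    """
    procs = {e["pid"]: e for e in events
             if e["host"] == host and e["event"] == "process_start"}
    chain, seen, cur = [], set(), pid
    while cur in procs and cur not in seen:   # stop at the root or on a pid-reuse loop
        seen.add(cur)
        chain.append((str(procs[cur]["ts"]), str(procs[cur]["image"])))
        cur = procs[cur]["ppid"]
    chain.reverse()
    return chain


def spawned_by(events: List[Event], host: str, pid: int) -> List[str]:
    """Images started by `pid` on `host`: what the foothold was used for next."""
    return [str(e["image"]) for e in events
            if e["host"] == host and e["event"] == "process_start" and e["ppid"] == pid]


def dwell_time_days(chain: List[Tuple[str, str]], detected_at: str) -> float:
    """Dwell time of one incident: detection time minus the earliest event in the chain."""
    first = datetime.fromisoformat(chain[0][0])
    return (datetime.fromisoformat(detected_at) - first).total_seconds() / 86400


def run_hunt(events: List[Event], detected_at: str) -> Dict[str, dict]:
    """Run the hypothesis and summarise every host on which it is confirmed."""
    report: Dict[str, dict] = {}
    for hit in hunt_autorun_persistence(events):
        host, pid = str(hit["host"]), int(hit["pid"])  # type: ignore[call-overload]
        # If the writing process was never seen starting, the registry event itself is the earliest evidence.
        chain = reconstruct_chain(events, host, pid) or [(str(hit["ts"]), str(hit["image"]))]
        report[host] = {
            "persistence_key": hit["detail"],
            "chain": chain,
            "spawned": spawned_by(events, host, pid),
            "dwell_days": dwell_time_days(chain, detected_at),
        }
    return report


if __name__ == "__main__":
    for host, r in run_hunt(TELEMETRY, "2020-07-03T09:02:11").items():
        print(host, r["persistence_key"])
        for ts, image in r["chain"]:
            print("  ", ts, image)
        print("   spawned:", r["spawned"], "dwell days:", round(r["dwell_days"], 2))
```

The hunt answers a single yes/no hypothesis first and only then reconstructs the chain, which is the order of work the hypothesis-based method prescribes; on real telemetry the marker list would be replaced by the platform's own autorun coverage and the chain walk would be bounded by the retention window of the EDR data.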
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Results 
to set off a competition between the participants and keep their results confidential. However, the teams could compare their progress with the others using the scoreboard. The table below shows 10 teams (out of a total of 120) with the highest score.


Rating 


Team 
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Team 41 


Team 33 
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Total Score 


max: 2700 


ISAS: 


1261 


VAR 
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Conclusions 
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results achieved by the participants: 
It was not clear until the end of the exercise who would take the first place. Different teams were leading at different stages, which means that none of them could fully utilise the techniques at their disposal.


The exercise allowed the participants to identify their strengths and weaknesses. We hope that the received information will help them create plans for developing the necessary competencies and improve their results in the future.
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delivered the best results 


Banks and companies from the IT industry demonstrated the highest resilience. Security assessment expertise in these sectors is quite well developed, with classic forensics and Threat Hunting widely applied.

Specialists are better
27% of the teams had difficulties earning points for the first scenario, which allows us to conclude that some of the team members lack or have insufficient expertise in security assessment and protection of web applications.

At the same time, all the participants were awarded points for the first round of the second scenario, which is indicative of each team having at least one expert who is competent
for the second round of the second scenario. We attribute this to Threat Hunting being a relatively novel approach and the majority of organisations lacking experience
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the potential for developing teams and tools within 
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to classic forensics and cannot replace it, but we showed 
More effort in preparation — better result

The best results were predictably achieved by the teams who had asked many questions during the preparation and familiarised themselves with the new techniques and defences beforehand. We hope that our Cyber Polygon publications, as well as other hosted events, will increase future participants' chances of succeeding and effectively countering cyberattacks.













